[SECURITY-L] CAIS-Alerta: Multiplas Vulnerabilidades em Produtos Oracle
CSIRT - UNICAMP
security em unicamp.br
Seg Maio 2 15:27:30 -03 2005
----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br> -----
From: Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br>
Subject: CAIS-Alerta: Multiplas Vulnerabilidades em Produtos Oracle
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Fri, 29 Apr 2005 18:12:33 -0300 (BRST)
-----BEGIN PGP SIGNED MESSAGE-----
Prezados,
O CAIS esta' repassando o alerta da US-CERT, intitulado "Oracle Products
Contain Multiple Vulnerabilities" , que trata de uma serie de
vulnerabilidades encontradas em diversos produtos Oracle, que podem levar
a execucao remota de codigo, negacao de servico (DoS) e a obtencao de
informacao privilegiada.
A Oracle lancou uma atualizacao (patch) para seus produtos, que corrige
mais de 70 vulnerabilidades encontradas em diversos produtos da empresa,
incluindo servidores de banco de dados, servidores de aplicacao e o Oracle
HTTP Server, que e' baseado no servidor open-source Apache.
Sistemas afetados:
. Oracle Database 10g Release 1, versions 10.1.0.2, 10.1.0.3, 10.1.0.3.1, 10.1.0.4
. Oracle9i Database Server Release 2, versions 9.2.0.5, 9.2.0.6
. Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5, 9.0.4, (9.0.1.5 FIPS)
. Oracle8i Database Server Release 3, version 8.1.7.4
. Oracle Application Server 10g Release 2 (10.1.2)
. Oracle Application Server 10g (9.0.4), versions 9.0.4.0,9.0.4.1
. Oracle9i Application Server Release 2, versions 9.0.2.3, 9.0.3.1
. Oracle9i Application Server Release 1, version 1.0.2.2
. Oracle Collaboration Suite Release 2, versions 9.0.4.1, 9.0.4.2
. Oracle E-Business Suite and Applications Release 11i, versions 11.5.0 through 11.5.10
. Oracle E-Business Suite and Applications Release 11.0
. Oracle Enterprise Manager Grid Control 10g, versions 10.1.0.2,10.1.0.3
. Oracle Enterprise Manager versions 9.0.4.0, 9.0.4.1
. PeopleSoft EnterpriseOne Applications, versions 8.9 SP2 and 8.93
. PeopleSoft OneWorldXe/ERP8 Applications, versions SP22 and higher
Correcoes disponiveis:
As correcoes devem ser obtidas junto ao fabricante, visitando o endereco
abaixo para maiores informacoes:
. http://www.oracle.com/technology/deploy/security/pdf/cpuapr2005.pdf
Mais informacoes:
. Critical Patch Update - April 2005 - http://www.oracle.com/technology/deploy/security/pdf/cpuapr2005.pdf
. Critical Patch Updates and Security Alerts - http://www.oracle.com/technology/deploy/security/alerts.htm
. US-CERT Vulnerability Note VU#948486 - http://www.kb.cert.org/vuls/id/948486
. US-CERT Vulnerability Note VU#982109 - http://www.kb.cert.org/vuls/id/982109
O CAIS recomenda que os administradores mantenham seus sistemas e aplicativos
sempre atualizados, de acordo com as ultimas versoes e correcoes
oferecidas pelos fabricantes.
Os Alertas do CAIS tambem sao oferecidos no formato RSS/RDF:
http://www.rnp.br/cais/alertas/rss.xml
Atenciosamente,
################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS) #
# Rede Nacional de Ensino e Pesquisa (RNP) #
# #
# cais em cais.rnp.br http://www.cais.rnp.br #
# Tel. 019-37873300 Fax. 019-37873301 #
# Chave PGP disponivel http://www.rnp.br/cais/cais-pgp.key #
################################################################
Technical Cyber Security Alert TA05-117A
Oracle Products Contain Multiple Vulnerabilities
Original release date: April 27, 2005
Last revised: --
Source: US-CERT
Systems Affected
From the Oracle Critical Patch Update - April 2005:
* Oracle Database 10g Release 1, versions 10.1.0.2, 10.1.0.3,
10.1.0.3.1, 10.1.0.4 (10.1.0.3.1 is supported for Oracle
Application Server only)
* Oracle9i Database Server Release 2, versions 9.2.0.5, 9.2.0.6
* Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5,
9.0.4 (9.0.1.5 FIPS) (all of which are supported for Oracle
Application Server only)
* Oracle8i Database Server Release 3, version 8.1.7.4
* Oracle Application Server 10g Release 2 (10.1.2)
* Oracle Application Server 10g (9.0.4), versions 9.0.4.0,
9.0.4.1
* Oracle9i Application Server Release 2, versions 9.0.2.3, 9.0.3.1
* Oracle9i Application Server Release 1, version 1.0.2.2
* Oracle Collaboration Suite Release 2, versions 9.0.4.1, 9.0.4.2
* Oracle E-Business Suite and Applications Release 11i, versions
11.5.0 through 11.5.10
* Oracle E-Business Suite and Applications Release 11.0
* Oracle Enterprise Manager Grid Control 10g, versions 10.1.0.2,
10.1.0.3
* Oracle Enterprise Manager versions 9.0.4.0, 9.0.4.1
* PeopleSoft EnterpriseOne Applications, versions 8.9 SP2 and 8.93
* PeopleSoft OneWorldXe/ERP8 Applications, versions SP22 and higher
Overview
Various Oracle products and components are affected by multiple
vulnerabilities. The impacts of these vulnerabilities include
unauthenticated, remote code execution, information disclosure, and
denial of service.
I. Description
Oracle released a Critical Patch Update in April that addresses
more than seventy vulnerabilities in different Oracle products and
components. The Critical Patch Update provides information about
which components are affected, what access and authorization are
required, and how data confidentiality, integrity, and availability
may be impacted.
US-CERT strongly recommends that sites running Oracle review the
Critical Patch Update, apply patches, and take other mitigating
action as appropriate.
Oracle HTTP Server is based on the Apache HTTP Server. According to
Oracle, the Critical Patch Update addresses a number of previously
disclosed Apache vulnerabilities. Oracle Database Client-only
installations are not affected.
US-CERT is tracking all of these issues under VU#948486. As further
information becomes available, we will publish individual
Vulnerability Notes.
II. Impact
The impacts of these vulnerabilities vary depending on product or
component and configuration. Potential consequences include remote
execution of arbitrary code or commands, information disclosure,
and denial of service. An attacker who compromises an Oracle
database may be able to gain access to sensitive information.
III. Solution
Apply a patch
Apply the appropriate patches or upgrade as specified in the Oracle
Critical Patch Update - April 2005. The update notes that some
Oracle patches are cumulative while others are not:
The Oracle Database Server, Enterprise Manager, and the Oracle
Application Server patches for this Critical Patch Update are
cumulative, and contain all the fixes from the previous Critical
Patch Update.
...
E-Business Suite patches are not cumulative, so E-Business Suite
customers should refer to previous Critical Patch Updates to
identify previous fixes they wish to apply.
Oracle Collaboration Suite patches are not cumulative, so Oracle
Collaboration Suite customers should refer to previous Critical
Patch Updates to identify previous fixes they wish to apply.
Workarounds
It may be possible to mitigate some vulnerabilities by disabling or
removing unnecessary components and restricting network access.
Revoking PUBLIC EXECUTE privileges from vulnerable stored
procedures may reduce the impact of SQL injection vulnerabilities
(VU#982109). For more specific workarounds please see the
individual Vulnerability Notes.
Oracle Critical Patch Update - April 2005 contains a workaround for a
vulnerability in PeopleSoft.
Appendix A. Vendor Information
Oracle
Please see Oracle Critical Patch Update - April 2005 and Critical
Patch Updates and Security Alerts.
Appendix B. References
* Critical Patch Update - April 2005 -
<http://www.oracle.com/technology/deploy/security/pdf/
cpuapr2005.pdf>
* Critical Patch Updates and Security Alerts -
<http://www.oracle.com/technology/deploy/security/alerts.htm>
* Map of Public Vulnerability to Advisory/Alert -
<http://www.oracle.com/technology/deploy/security/pdf/
public_vuln_to_advisory_mapping.html>
* Comments on Oracle Critical Patch Update April 2005 -
<http://www.red-database-security.com/wp/
comments_oracle_cpu_april_2005_us.pdf>
* NGSSoftware Oracle Database vulnerabilities -
<http://www.ngssoftware.com/advisories/oracle-03.txt>
* US-CERT Vulnerability Note VU#948486 -
<http://www.kb.cert.org/vuls/id/948486>
* US-CERT Vulnerability Note VU#982109 -
<http://www.kb.cert.org/vuls/id/982109>
_________________________________________________________________
Thanks to Alexander Kornbrust of Red-Database-Security GmbH.
Information used in this document came from Red-Database-Security and
Oracle. Oracle credits NGS Software Ltd., Integrigy, and Application
Security, Inc.
_________________________________________________________________
Feedback can be directed to the authors: Art Manion and Jeff Gennari.
Send mail to <cert em cert.org>.
Please include the Subject line "TA04-315A Feedback VU#948486".
_________________________________________________________________
Copyright 2005 Carnegie Mellon University.
Terms of use: <http://www.us-cert.gov/legal.html>
_________________________________________________________________
The most recent version of this document is available at:
<http://www.us-cert.gov/cas/techalerts/TA05-117A.html>
_________________________________________________________________
Revision History
April 27, 2005: Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQCVAwUBQnKjTekli63F4U8VAQHfyAP9HIdgMhgB04cPThESiNr1Crnn9b4VAToR
MndrYVSM50E3fBC04TfaAAlX7wHIQR9aS/lkUQAKbuw8RLKRkplD9EUocFDtPg6o
G9Q7//Hpk8F9wz7+Q2Sh5TczFr5urED/haVwBm+hYJI0szQ4eaoohySOMQ+fgfio
qC+uY7zunQY=
=3+LA
-----END PGP SIGNATURE-----
----- End forwarded message -----
Mais detalhes sobre a lista de discussão SECURITY-L